The Power of Preparation

The worst thing a business leader could say after the COVID-19 pandemic, says BYU Marriott management professor Paul Godfrey, is “I’m so glad that’s over. Back to business as normal.”

If anything, the pandemic showed that a business-as-normal approach wasn’t cutting it.

In PwC’s 2021 Global Crisis Survey, 70 percent of business leaders said they were negatively impacted by the pandemic, and a whopping 95 percent said that their crisis management plans need improvement.

“It’s time to ask, ‘Where did we get hit? Have we closed those holes?’” says Godfrey. “And then it’s time to start proactively looking at the future.”

In short, it’s time to talk corporate preparedness.

In business parlance, corporate preparedness has numerous synonymous terms, including business resilience, risk management, business continuity planning (BCP), and corporate readiness. Whatever you call it, preparedness is worth pursuing. That’s because with the right investment, such planning not only helps keep businesses afloat, it also puts them in a position to better help their communities and come out ahead of the competition. As Godfrey writes in his new book, Strategic Risk Management: New Tools for Competitive Advantage in an Uncertain Age, “Wise managers work not just to eliminate, mitigate, or transfer risk but also to leverage it.”

In the book, Godfrey and other experts share corporate-readiness blind spots and best practices. Alumni practitioners chime in, too, unpacking the No. 1 risk that keeps CEOs up at night and sharing successes, such as how prepandemic readiness efforts at American Express allowed the company to pivot and notch its best year yet.

“We’ve gotten really good at responding to crises, but we can’t respond our way out anymore; there are too many things going on,” says Eric McNulty, associate director of Harvard’s National Preparedness Leadership Initiative (NPLI). “You’ve got to focus on being ready.”

In the book, Godfrey and other experts share corporate-readiness blind spots and best practices. Alumni practitioners chime in too, unpacking the number one risk that keeps CEOs up at night and sharing successes, such as how prepandemic readiness efforts at American Express allowed the company to pivot and notch its best year yet.

“We’ve gotten really good at responding to crises, but we can’t respond our way out anymore; there are too many things going on,” says Eric McNulty, associate director of Harvard’s National Preparedness Leadership Initiative (NPLI). “You’ve got to focus on being ready.”

What’s a Pound of Prevention Worth?

It’s a topsy-turvy world out there, arguably now more than ever before.

At present, the United States is trying to rein in its highest inflation since 1982. A war rages in Ukraine. Markets are volatile. Supply-chain snags are still disentangling. Extreme and costly weather events are intensifying. The probability of extreme epidemics will increase threefold in the coming decades, reports an analysis published in the Proceedings of the National Academy of Sciences in August 2021.

The Collins Dictionary word of 2022, permacrisis, is a fair descriptor, says McNulty.

McNulty, who has authored numerous NPLI case studies on leadership in disasters such as the Boston Marathon bombing, Hurricane Sandy, and the Deepwater Horizon oil spill, came to this work as a result of a rescheduled trip.

“I was scheduled to be on a flight that hit the Twin Towers on 9/11,” he says, and it was a reflection point that redirected his career from product launches to crisis leadership—“work,” he says, “that can save lives.”

Leadership, of course, won’t prevent bad things from happening, but it can mitigate how bad things get as well as ensure that effective plans and precautions are taken beforehand.

Nevertheless, corporate preparedness plans often fall short, says McNulty, in large part because high consequence/low frequency threats are regarded largely as theoretical; when times are good, preparedness might be viewed as an unnecessary expense.

That, and we humans are actually terrible at estimating risk. Research by BYU Marriott professors actually backs this up.

Associate dean and information systems professor Bonnie Anderson is an expert on habituation; she works with a BYU neuroscientist to map how the brain responds to those annoying pop-ups on the computer screen that flag security risks. “We get so many notifications that are not serious concerns that our brain ends up tuning out the ones that are actually critical,” says Anderson. “From a preparation standpoint, it’s like when someone cries wolf. You start to tune it out.”

Further, sometimes it takes experiencing a particular disaster to learn from it, says organizational behavior and human resources professor Peter Madsen, who observed this principle at work while studying the US coal mining industry. Advice to change safety protocols—or even actual close-call events—were insufficient to marshal lasting prevention efforts.

The cost, however, is real.

There are tools out there to calibrate that cost, says McNulty. “What’s the cost for each day one of our facilities is down? What’s the expense every time we lose a worker to injury? What’s the cost of a cyber event? As you begin to add that up, what percentage are you willing to spend to mitigate those risks?”

It’s actually easier for businesses to know how long they can last if all the money coming in were to suddenly stop, says BYU Marriott finance alum Brandon Egan, former director of risk management at American Express. “The harder forecasting,” he says, “is when cash flow turns into an upredictable trickle,” as it did for some AmEx clients during the pandemic. Another financial blind spot he sees: failing to consider what your company would do if investors dried up. Do you have the necessary financial reserves, the right insurance, and other necessities in place to weather a recession, a lawsuit, a force of nature?

Preparedness efforts will help you protect your people, preserve your brand, hasten recovery, and avoid what is dubbed analysis paralysis, “allowing you to act with confidence and courage,” says McNulty.

In today’s uncertain world, the experts say, this type of investment is part of the cost of doing business. “It’s not going to contribute to your quarterly earnings,” says Godfrey, “but in terms of cutting costs five, ten years from now, boy, the readiness folks have got it right.”

Identify Your Risks

There’s a photo that hangs on the 11th floor of the Goldman Sachs (GS) New York City headquarters, and it’s a point of BCP pride. The photo shows an image of the Manhattan skyline in the middle of Hurricane Sandy, every skyscraper dark except the GS building at 200 West Street juxtaposed against a furious-gray sky. Every window is illuminated, powered by backup generators; a 10-foot wall of sandbags surrounds the building’s base.

And GS preparation isn’t confined to the Big Apple. At its Utah outposts, where the imminent threat is earthquakes, GS prepares by putting a hard hat and an emergency kit at each desk at its downtown Salt Lake City locations; the bank has two worksites in every location to ensure continuity if one facility is compromised.

In a similar manner, experts note that an essential piece of preparedness is identifying the most plausible emergencies in your geographic area and in your specific industry.

Then ask yourself what’s missing.

Natural disasters, inflation, market swings—these are some of the “obvious risks,” says McNulty. “You’ve also got to ask, ‘What are we not looking at?’”

During his organizational preparedness trainings around the world, McNulty asks participants, “What keeps you up at night?” Responses go well beyond keeping a facility running, ranging from staying out of the news media, dealing with an active shooter, or handling radicalized employees. “Organizations used to worry only about radical groups outside the organization and trusted everybody wearing their logo,” says McNulty, but the internet is a public square for a disgruntled employee to vent.

For his part, McNulty says he is shocked that one concern doesn’t come up more often: the effects of climate change. Eventually, he says, that will touch every enterprise in some way.

What are CEOs most worried about? McNulty consulted with the Disaster Recovery Institute International to survey nearly 200 C-suite executives and risk professionals, who ranked the scariest threats they face. At the top: sensitive data breaches, IT failures, and cyber attacks. And only 6 percent said that they have dedicated insurance coverage for these risks.

According to byu Marriott information systems alum Adam Wright, a managing director of cybersecurity at a global consulting firm, the fear is warranted.

Cyber: Its Own Beast

Wright loves to bungee jump and zipline, but he is so risk averse online that his employer of 20 years doesn’t even have some of Wright’s contact information, the kind that most individuals share freely. Wright is the one tasked with helping clients identify and protect their intellectual property and customer data.

“The reason I have a job, after all,” he says, “is because I know how data breaches happen.”

When he graduated from BYU with his master’s degree in 2003, positions such as his didn’t exist. Now they are so integral to business that the Securities and Exchange Commission is proposing that public companies be required to have cyber advisors on their boards.

“It’s that important,” says Wright.

The companies that address data protection the best don’t silo the responsibility—it’s not just the job of IT or cybersecurity departments. “Cyber risk really does belong to all individuals within the company,” says Wright, “and it needs to be evaluated in every business decision, whether it’s a merger and acquisition, a new product, pricing, negotiations, or any other discussion where data is involved.”

The biggest mistakes he sees companies making? Not knowing where their data is and treating all data the same. Gone are the days when a company housed all of its data on its own servers or mainframes. Today this data is often managed in third-party cloud platforms, and that data is stored on servers across multiple regions. Simultaneously, employees who once worked on in-office desktop computers are now on company devices all over the place, accessing a company’s data “at home, in a hotel, at a local café,” says Wright. That means companies need to have greater scrutiny of company devices, understand what data employees are accessing, and give access “only to what employees need, when they need it.”

Cybersecurity is an endless corporate readiness exercise, says Wright. He urges businesses to identify the threat actors that are targeting them and the motivations behind the attacks. Do they want your customers’ credit card info? Do they want to capture sensitive correspondence? Do they want your intellectual property?

“You cannot protect all of the data equally,” says Wright. Identify the critical data, he advises, then implement a layered security approach to secure it and be extremely vigilant about patching vulnerabilities.

Build a Crisis Team

The organizations that perform best when disaster hits, say the experts, are those that have a team in place beforehand.

First, you need your BCP people. And then you need your crisis team.

A large corporation, Godfrey says, should work to have an entire risk assessment team internal to the organization “whose sole job it is to scan the future and report to the board every six months.” For smaller, scrappier companies, someone has to wear the readiness hat, and it’s got to be someone vested in the long-term health of the organization—not an intern, not an entry-level employee.

“If the informants are at the bottom of an organization,” says Godfrey, “you can wind up with uncertainty reduction, where the message gets diluted going up the chain of command. The direct line to leadership is crucial.”

Polymaths who like hockey—that’s what you’re looking for when hiring BCP specialists, says Godfrey. You want people with a lot of interests who are a tad outspoken. Just as hockey players can smash each other up and then spend time together socially, he says, you need people to fight to get the threats that they are seeing onto your radar. “You’ve got to be able to have real debates over this stuff, and you have to be able to do it in a way that’s not toxic or super nasty,” Godfrey explains.

A good business continuity planner is likely not an optimist either, or if they are, they’ve learned to think negatively when duty calls, says Madsen. In several studies, he’s shown that negativity can be a skill. In one study, participants were told a hurricane had a 30 percent chance of hitting their house: Would they evacuate? Most stayed put, unless they were told a neighbor had incurred hurricane damage before. The bottom line, says Madsen, is you need someone to fully explore the worst-case scenario.

Doing so might just head off a crisis. In an April 2011 Harvard Business Review article, Madsen and his coauthors detail how, prior to Hurricane Katrina, Walmart’s business continuity managers did exactly that. Their infrastructure had yet to be devastated by a hurricane, but based on past hurricane paths, they braced for the worst. As Hurricane Katrina approached, they had already expanded their emergency command center staff and stockpiled supplies, famously outperforming local and federal responders. As a local sheriff said, “If the American government had responded like Walmart has responded, we wouldn’t be in this crisis.”

While business continuity specialists perform essential work, they don’t succeed alone. “BCP is not an ‘in case of emergency, break glass’ solution,” says McNulty. BCP is part of the solution—the catalyst that gets you to take action—but the actual crisis team is much broader, and it “should be identified, trained, exercised, and ready to go.”

A common mistake McNulty sees when disaster strikes: CEOs turn to their “star players,” picked for their functional expertise. But being good at your day job does not portend top performance in crises. “You have to look at emotional expertise,” McNulty says, intentionally selecting those who can remain calm in times of stress and ambiguity. “You may need your star players to keep the company going,” he adds; someone has to run the business while others run the crisis.

Once you have the crisis team identified, assign roles and gather biannually, or even quarterly, to practice working as a cohesive unit, says McNulty. You’re likely blending people from all kinds of departments and functions, many who have different decision-making methodologies.

No Business Too Small

To start food storage for a single household, “you wouldn’t run out and spend $500 on canned peaches,” says Godfrey. Likewise, he says, don’t panic if, especially as a small business, all the preparedness pieces aren’t in place yet.

“Don’t think you have to throw the entire Fortune 500 business continuity playbook into the dryer and shrink it down to your size,” adds McNulty.

There are simple and inexpensive things you can do now, including providing basic first aid and CPR training for all employees, McNulty suggests. One company he worked with had all of its employees back their vehicles into their parking spaces one day; research shows backing in reduces accidents and, in a true disaster, makes evacuation easier. It may sound insignificant, but it could reduce the accidents in your parking lot and protect your people elsewhere. “At a minimum, these sorts of things put your employees in a preparedness mindset,” he says.

In addition, think of your ecosystem. Who are your neighbors? Who does the same kind of work you do? Leverage your collective power by pooling resources for training, and link up for planning.

Another free exercise McNulty loves? Pull an article out of the newspaper and, during an employee lunch or a staff meeting, ask, “What would we do if this happened to us?”

Communications and Supply Chains

The experts can’t emphasize enough the importance of working through hypotheticals. IBM even has a mock newsroom set for its CEO to practice going live.

Preparedness takes practice, says Godfrey. “Training your employees is like having your two-year supply.” Then when situations arise, it’s all muscle memory.

IBM is exceptional in their communications endeavor, he continues. “Few firms actually think through their crisis communications in advance. They’re flat-footed in their response. They’re too slow, and then the lawyers begin to speak.” The company stays silent and “loses in the court of public opinion long before it loses in the court of law,” Godfrey says.

Once you've created a process, put it in writing: Who in the company issues a statement, who writes it, and who reviews it? How will you find and account for everyone in an emergency? Is there a protocol or checklist?

“If your crisis communications packet was last updated in 2015, it might as well have been developed in 1815,” he says. It may sound extreme, but consider all that has transpired since then, from #MeToo to George Floyd’s death to pronouns, he says. “It’s important to think through how audiences hear your message.”

Another huge consideration: supply chains. Pretty much everyone had a pandemic-related gnarl, so every business can and should take this quandary to heart, says Godfrey: “What do I start to do today to rethink my supply chain so I’m not completely exposed?”

Perhaps it means stocking an inventory of critical parts, or maybe it’s reshoring production so things don’t get stuck in a port. Godfrey observes that we spent three decades perfecting the just-in-time model, the management strategy that strives to produce only what will be used immediately, “but it will always be susceptible to disruptions,” he says.

Coming Out Stronger

A company that has done the readiness work will not only weather the storm, it could potentially capitalize on it, says Egan.

“When you say corporate readiness, well, ready for what?” he asks. “Sometimes it’s being ready so you’re in a position to get back in during the upswing of growth.” He shares his pandemic war story as an example. With everyone stuck at home, consumer spending dropped, and with less income, some American Express account holders were in distress.

“We had to pivot,” says Egan. Fortunately, the company had financial reserves in place that gave the business the freedom, while in pandemic limbo, to innovate. Since no one could travel, AmEx shifted from travel kickbacks to new card offers with incentives, such as Netflix, Disney+, and even gym memberships. “People loved it; people started flocking to the card,” says Egan. The company could have just gritted through the pandemic; instead, it sold more products than ever before.

A 2021 McKinsey report looked at what resilient companies did that others did not do in response to the pandemic. “Business-model innovation was by far the most important strategic lever,” the report concludes. Corporate readiness strategies tee up your company to innovate, says Egan.

Further, corporations that have stored up for such a time will be in a position to boost their communities—and their brands. Madsen and Godfrey have both published research on this: Madsen’s latest work in this area, published in the Strategic Management Journal in 2014, calls it “looking good by doing good.”

The finding may sound intuitive—donating after a disaster does a reputation good—but Madsen’s paper adds nuance: your stakeholders have to notice. To get their attention, the announcement of relief efforts has to be made shortly after the disaster, otherwise it gets lost in the pack (enter your prefab communications packet). Second, partner with a legitimate nongovernmental organization (NGO)—and it’s even better if the NGO publicizes your help.

And the twist? Madsen’s analysis shows that in-kind donations garner more attention than cash. That means your business performs services, the stuff it knows best. An example: When a 7.0-magnitude earthquake rocked Haiti, Verizon Wireless waived any fees for all donation-related text messages and announced free calling to and from the earthquake zone. “Although Verizon’s relief activities were, no doubt, prompted by compassion,” writes Madsen, “Verizon also received significant tangible benefits.”

Finally, if the last few years have exposed some readiness failings, take heart. “We find that organizations learn more effectively from failures than successes,” Madsen writes in his research, and “knowledge from failure depreciates more slowly than knowledge from success.”

_____

Written by Brittany Rogers
Illustrations by Eri Chow

About the Author
Brittany Rogers, a freelance author, lives in American Fork, Utah, with her husband and three children.